Apple has released emergency security updates for various devices, including iPhones, iPads, Macs, Apple Watch, Apple TV and Safari. These updates fix several security vulnerabilities, including a zero-day bug actively used in the wild.

The specific vulnerability, tracked as CVE-2023-38606, affects the kernel and allows a malicious application to potentially alter the sensitive kernel state. Apple has addressed this issue with improved state management. The company is aware that this bug is actively used in iOS versions released prior to iOS 15.7.

This is the third vulnerability linked to Operation Triangle, an advanced cyberespionage campaign targeting iOS devices since 2019. Two other zero-days, CVE-2023-32434 and CVE-2023-32435, were patched by Apple the previous month.

Security updates are available for a variety of iOS and iPadOS devices, including:

• iPhone 8 and later,
• iPad Pro (all models),
• iPad Air 3rd generation and later,
• iPad 5th generation and later, and
• iPad mini 5th generation and later.

Also covered are:

• Apple TV 4K (all models), Apple TV HD, and
• Apple Watch Series 4 and later,
• macOS Ventura 13.5,
• macOS Monterey 12.6.8, and
• macOS Big Sur 11.7.9.

With this latest release, Apple has addressed a total of 11 zero-day vulnerabilities affecting its software since the beginning of 2023.

This update follows the company’s emergency fixes two weeks ago for an active bug in WebKit that could lead to arbitrary code execution (CVE-2023-37450).

In this context, it is recommended to use up-to-date versions with the vulnerability in order not to be the target of attacks that can be carried out using the vulnerability.